Exchanging Secrets Without Using Cryptography 

Iris Safaka, Mahdi J Siavoshani, Uday PuUeti, Emre Atsan, 
Christina Fragouli, Katerina Argyraki, Suhas Diggavi 
(EPFL and UCLA) 



O 
(N 

> 

o 
O 

U 

> 

o 



X 



Abstract — We consider the problem where a group of n 
nodes, connected to the same broadcast channel (e.g., a wireless 
network), want to generate a common secret bitstream, in the 
presence of an adversary Eve, who tries to obtain information on 
the bitstream. We assume that the nodes initially share a (small) 
piece of information, but do not have access to any out-of-band 
channel. We ask the question: can this problem be solved without 
relying on Eve's computational limitations, i.e., without using any 
form of public-key cryptography? 

We propose a secret-agreement protocol, where the n nodes 
of the group keep exchanging bits until they have all agreed 
on a bit sequence that Eve cannot reconstruct with very high 
probability. In this task, the nodes are assisted by a small number 
of interferers, whose role is to create channel noise in a way 
that bounds the amount of information Eve can overhear. Our 
protocol has polynomial-time complexity and requires no changes 
to the physical or MAC layer of network devices. 

First, we formally show that, under standard theoretical 
assumptions, our protocol is information-theoretically secure, 
achieves optimal secret-generation rate for n = 2 nodes, and 
scales well to an arbitrary number of nodes. Second, we adapt 
our protocol to a small wireless 14 m^ testbed; we experimentally 
show that, if Eve uses a standard wireless physical layer and is 
not too close to any of the nodes, 8 nodes can achieve a secret- 
generation rate of 38 Kbps. To the best of our knowledge, ours 
is the first experimental demonstration of information-theoretic 
secret exchange on a wireless network at a rate beyond a few 
tens of bits per second. 

I. Introduction 

We consider the problem where a group of n nodes, 
connected to the same broadcast channel (e.g., a wireless 
network), want to generate a common secret bitstream, in the 
presence of an adversary Eve, who tries to obtain information 
on the bitstream. We assume that the n nodes initially share 
a (small) piece of information, but do not have access to any 
out-of-band channel or public-key infrastructure. Today, this 
problem can be solved using public-key cryptography, such 
as the Diffie-Hellman fll or the RSA f2\, f3l \ key-agreement 
protocols: the nodes could use the initially shared information 
to form public keys, then periodically use a key-agreement 
protocol to generate new secrets. These protocols make the 
assumption that Eve does not have the computational resources 
to perform certain operations, such as large-integer factoriza- 
tion. We ask the question: can we solve this problem without 
making any assumption about the adversary's computational 
capabilities, i.e., without using public -key (or any classic form 
of) cryptography? 

Our work is based on the following observation: whereas 
one node's transmission may be overheard by multiple nodes, 
if there is noise in the broadcast channel, it becomes unlikely 
that any two nodes overhear exactly the same bits. To illustrate, 
consider a person speaking in a low voice in a crowded room — 
people standing nearby will hear parts of the speech, but if the 



room is sufficiently noisy, it is unlikely that any two of these 
people (standing at different locations) will hear the exact same 
parts of what the speaker says. We build upon this observation 
and use channel noise to prevent eavesdroppers from hearing 
exactly the same bits as honest participants. We propose a 
new secret-agreement protocol, where the n honest nodes keep 
exchanging bits until they have all agreed on a bit sequence 
that Eve, with very high probability, cannot reconstruct. In this 
task, the n nodes are assisted by interferers that create the right 
kind and level of noise to bound the amount of information 
that Eve overhears. 

Unlike existing cryptographic solutions to this problem, 
which rely on the fact that the adversary cannot compute some 
function, our protocol relies on the fact that the adversary can- 
not overhear all the information received by an honest node. 
In other words, we shift the challenge from computation to 
network presence: for cryptographic approaches, a dangerous 
adversary is one with high computational power (e.g., one with 
access to quantum computers); for our approach, a dangerous 
adversary is one who is physically present in many locations 
in the network at the same time. 

We do not imply that there is any pressing need to re- 
place the existing crypto-systems that rely on the adversary's 
computational limitations. However, we believe that exploring 
alternative approaches (which rely on different kinds of ad- 
versary limitations) will become of increasing interest in the 
near future, as governments and corporations acquire massive 
amounts of computational capabilities, and as new technolo- 
gies, such as quantum computing, mature. This interest is 
already present in the industry community, where several com- 
panies are developing quantum key distribution (QKD) sys- 
tems [31; these enable a pair of nodes to exchange a bitstream 
that is information-theoretically secure, i.e., an adversary that 
observes the exchange obtains information on the bitstream, 
independently from her computational capabilities. A typical 
commercial application envisioned for QKD systems is the 
periodic generation of one-time pads at a high enough rate to 
enable information-theoretically secure transmission of real- 
time video, e.g., for military operations i4J. On the other hand, 
QKD systems are expensive due to the need for sophisticated 
equipment, such as photon detectors. This motivated us to 
start exploring the feasibility of secrecy that does not rely on 
computational limitations, but also does not require expensive 
equipment. 

In this paper, we make one theoretical and one practical 
contribution: 

(1) On the theory side, we design a protocol that enables 
n > 2 nodes, which are connected to the same broadcast chan- 
nel and initially share a small common secret a, to establish 



a common secret bitstream. Assuming a typical information- 
theory model (independent erasure channels between the nodes 
and known erasure probabilities), we formally show that: (i) 
our protocol is information-theoretically secure; (ii) it achieves 
a secret-generation rate that is optimal for n = 2 nodes and 
scales well to an arbitrary number of nodes n. (iii) it requires 
per-node operations that are of polynomial complexity. To 
the best of our knowledge, we advance the state of the art 
in information-theoretic security by (i) allowing groups to 
have an arbitrary number of nodes n, and (ii) providing a 
polynomial-time protocol that is implementable even in the 
simplest wireless devices without any changes to their MAC 
or physical layers. 

(2) On the practical side, we adapt our protocol to a small 
wireless testbed that covers an area of 14 m^ and consists 
of 8 trusted nodes, 6 interferers (each with two directional 
antennae), and an adversary. We experimentally show that, in 
our testbed, if the adversary uses a standard wireless physical 
layefl and is located within no less than 1.75 m from any 
trusted node, the n = 8 trusted nodes achieve a common 
secret generation rate of 38 secret kilobits per second. This 
is in contrast to the state of the art in deploying information- 
theoretical security on wireless networks, which achieves (only 
pair-wise) secret-generation rates on the order of a few tens 
of bits per second. To the best of our knowledge, ours is 
the first experimental demonstration of information-theoretic 
secret exchange on a wireless network at rates of kilobits per 
second. 

We think that this is an important first step toward bridging 
the gap between theoretical and practical work in this area: on 
the one hand, we confirm that the criticism typically addressed 
at theoretical work on information-theoretic security (indepen- 
dent erasure channels and predictable erasure probabilities are 
not realistic network conditions) is valid; on the other hand, 
we demonstrate that it is feasible to emulate these conditions 
in a real wireless network, enough to generate an information- 
theoretically secure bitstream of tens of kilobits per second. 
That said, we still need to complete several steps before our 
protocol is ready for non-experimental deployment: we need 
to harden it against collusion and wireless denial-of-service 
attacks; and we need to find a more practical and energy- 
efficient way of creating interference than using dedicated, 
trusted interfering nodes (discussion in Section IVIIIt . 

In the rest of the paper, we summarize the main idea 
behind our work (20. we describe our basic secret-agreement 
protocol, which is information-theoretically secure against a 
passive adversary (i HIIb . state its properties (i jlVI ). and describe 
how to secure the protocol against active adversaries (ifVll. 
Next we describe how we adapted our protocol to a small 
wireless testbed ( Wil l and present our experimental results 
( Will ). Finally, we discuss limitations and challenges ( WIIIl l 
and related work ( §IXb . and we conclude (^Xj. 

'We argue that our protocol will work well even if the adversary possesses 
a custom physical layer, but we have not showed this experimentally. 



II. Setup 

A. Problem Statement 

We consider a set of n > 2 trusted nodes. To, . . . ,Tn-i, 
which share an initial common secret a and are connected to 
the same broadcast channel; we will refer to these nodes as 
terminals; sometimes we will refer to terminals To, Ti, and 
T2 respectively as Alice, Bob, and Calvin. We also assume 
that we have available m trusted interferers, i.e., nodes that 
can generate noise. 

We consider an adversary. Eve, who is connected to the 
same broadcast channel as the terminals, but has information 
on (7. When we say that Eve acts as a "passive" adversary, 
we mean that she does not perform any transmissions, i.e., 
she only tries to eavesdrop on the terminals' communications; 
when we say that Eve acts as an "active" adversary, we mean 
that she may perform transmissions, e.g., try to impersonate 
a terminal. As a first step, in this paper, we assume that Eve 
only has access to a standard physical layer, i.e., no custom 
hardware. Also we assume that there is no collusion, i.e., 
there may be multiple adversaries like Eve, and each of them 
may move around the network, but they may not exchange 
information. In Section IVIIII (where we discuss the limitations 
of our proposal), we describe how we believe that these issues 
can be addressed. 

Our goal is to design a protocol that enables the n terminals 
to establish a new common secret S of size \S\ ^ \a\, such 
that Eve (whether acting as a passive or active adversary) 
obtains information on S. By periodically running this 
protocol, the terminals will be able to establish a common 
secret bitstream. 

The terminals communicate with each other in two ways: (1) 
When we say that terminal Ti transmits a packet, we mean that 
it broadcasts the packet once. (2) When we say that terminal 
Ti reliably broadcasts a packet, we mean that it ensures that all 
other terminals Ti receive it, e.g., through acknowledgments 
and retransmissions; to be conservative, we assume that Eve 
receives all reliably broadcast packets | 

We assume a packet-erasure channel between each pair of 
nodes: when Ti transmits a packet, Tj (or Eve) receives the 
entire packet correctly with probability 1 — 5, or does not 
receive it at all; S is the erasure probability of the channel 
between Ti and Tj (or Eve). 

We summarize the most commonly used symbols in Table IH 

B. Main Idea 

We define the "theoretical" network conditions as follows: 

1) The channel between Alice and any other terminal Ti is 
independent from the channel between Alice and Eve, 
i.e., when Alice transmits a packet, the event that Ti 
receives it is independent from the event that Eve does. 

2) We know the erasure probability 6e of the Alice-Eve 
channel. 

^Our use of reliable broadcasting is similar to the use of a "public channel" 
in information theory, with the difference that we do not assume that this 
channel has zero cost, i.e., when we compute protocol efficiency, we do take 
into account the transmissions made using this channel. 



Suppose, for the moment, that these theoretical conditions 
hold and that we have only n ~ 2 terminals, Alice and Bob. 
The erasure probability of the Alice-Bob channel is Si = 0.5 
and of the Alice-Eve channel Se — 0.4, i.e.. Eve has better 
connectivity to Alice than Bob. 

Alice wants to establish a secret S with Bob. To this 
end, Alice transmits 10 packets, xi,X2, ■ ■ ■ , xiq. Bob correctly 
receives 5 of them, a;i, X3, xs, xy, xg. Eve correctly receives 
6 of the transmitted packets, xi,X3,X5,xq,xs,xio. At this 
point, there exist 2 packets, xr, xg, whose contents are known 
to both Alice and Bob, but not to Eve. Alice does not know 
which are these packets, but she can guess how many they 
are: First, she learns which packets Bob received (which is 
easily accomplished by having Bob send a feedback message 
to Alice, specifying the identities of the packets he received). 
Combining this piece of information with the erasure prob- 
ability between Alice and Eve, 5e, Alice can compute the 
expected number of packets received by Bob but not Eve; 
in our example, 5e = 0.4, hence, of the 5 packets that Bob 
received. Eve is expected to not have received 0.4 -5 = 2 
packets. 

Alice and Bob establish a secret by performing privacy am- 
plification: Alice creates 2 linear combinations of the packets 
that Bob received, si = xiQx^Qxg and S2 = 2:30x7 (where 
© denotes the bit-wise XOR operation over the payloads of 
the corresponding packets), and creates the secret as their 
concatenation, S — (si,S2)- Then, Alice reliably broadcasts 
to Bob which packets to combine to also create the secret. 
Even though Eve receives the reliable broadcast and learns 
the identities of the packets that were combined to create the 
secret, she cannot compute either si or S2, because she does 
not know the contents of xy and xg. 

C. Challenges 

To turn the above idea into a secret-agreement protocol, we 
answer the following questions: 

(1) Choosing the right linear combinations. In the above 
example, Alice chose 2 particular linear combinations, whose 
values Eve could not compute, i.e., Alice performed privacy 
amplification using very simple linear operations. But is it 
always possible for Alice to choose linear combinations of 
the packets received by Bob, such that Eve cannot compute 
their values (without knowing which packets Eve received)? 

(2) Extending to multiple nodes. Suppose that we have 
not two, but three terminals, Alice, Bob, and Calvin, that need 
to establish a common secret S. Of course, once we have a 
scheme that works for two terminals, Alice could use it to 
establish a secret, Sb, with Bob, a separate secret, Sc, with 
Calvin, then secretly communicate to each of Bob and Calvin 
a common secret S. However, intuitively, we should be able 
to do better — surely. Bob and Calvin must have received a 
common subset of Alice's packets. How can we leverage this 
common subset to build a better protocol, and how do we 
generalize it to an arbitrary number of terminals n? 

We address questions (1) and (2) in Section |III1 where 
we present a secret-agreement protocol between n nodes. 



which assumes theoretical network conditions and passive 
adversaries. 

(3) Deterring active attacks. In the above example. Eve 
only tried to eavesdrop on Alice's and Bob's communications. 
In reality, she could also try to impersonate them, e.g., pretend 
to be Alice and initiate the secret exchange with Bob. So, how 
do we prevent impersonation by adversaries? 

We address question (3) in Section |V] where we describe 
how to add authentication to our secret agreement to protect 
it against active adversaries. 

(4) Emulating the theoretical network conditions. In the 
above example, Alice and Bob were able to establish a secret, 
because the Alice-Bob channel was independent from the 
Alice-Eve one, which ensured that Bob received some packets 
that Eve did not receive. In reality, we cannot assume this: if 
Eve positions herself close to Bob, it is quite likely that she 
will receive all the packets that he receives. The next question 
then is, can we artificially condition a real wireless network, 
so as to ensure that Bob (or any trusted node) receives some 
minimum number of packets that Eve does not receive? 

(5) Estimating what the adversary received. In the above 
example, Alice created a secret by concatenating 2 linear com- 
binations, exactly as many as the number of packets received 
by Bob but not Eve. This is the longest secret that Alice and 
Bob could establish without reveahng any information about 
the secret to Eve: suppose they attempted to generate a longer 
secret, by creating and concatenating 3 linear combinations 
of the packets received by Bob, e.g., S = {si,S2, S3), where 

Si = Xi®X5®Xg, S2 — X3®X7, and S3 — X3ffiX5®X7®Xg; 

but then. Eve would learn something about the secret — that 
si ® S2 ® S3 = xi, which would increase her chances of 
guessing the secret. The gist is that, since there are only 2 
packets received by Bob but not Eve, there exist exactly 2 
linear combinations of the packets received by Bob that do not 
reveal any information to Eve. Hence, it is important for Alice 
to correctly guess how many packets were received by Bob 
but not Eve: if she overestimates this number, she will create 
a longer secret than she should, i.e., reveal some information 
about the secret to Eve; if she underestimates this number, 
she will create a shorter secret than she could, i.e., achieve a 
lower secret-generation rate than the maximum possible. So, 
the last question is, how do we estimate how many packets 
Eve received in order to create the right secret size? 

We address questions (4) and (5) in Section IVIII where 
we adapt our secret-agreement protocol to a small wireless 
testbed. 

D. Background 

We now summarize the background needed to read the rest 
of the paper Readers who are familiar with linear coding and 
information-theoretic secrecy can skip this section. 

Consider two packets, xi and X2, of the same length. When 
we say that we linearly combine these packets over the field 
¥2=, we mean that: (1) We take the contents of packet xi and 
interpret every s consecutive bits as a symbol; as a result, we 
get a sequence of symbols, {pi,p2, ■ ■ ■)■ (2) We do the same for 



X2, such that we get another sequence of symbols, (gi, 52, • • •)■ 
(3) We perform some linear operation, denoted by ©, over each 
pair of symbols pi and qi, the resulting sequence, {pi®qi,P2® 
52, ■ • ■), is the outcome of the linear combination of the two 
packets. For example, if our field is F2, i.e., s — 1, then we 
interpret each bit as a symbol; in that case, performing a linear 
combination is equivalent to bitwise XOR-ing the contents of 
the two packets. 

The secrecy of a system S can be expressed as a function 
of its entropy, H{S), which is a measure of an eavesdropper's 
uncertainty about the system. By observing the system, the 
eavesdropper may learn something about it; this is captured by 
the concept of conditional entropy, H{S\0), which expresses 
the eavesdropper's uncertainty about the system S, after she 
has completed her observation, O. A system S is information- 
theoretically secure, when, by observing S, an eavesdropper 
does not decrease her uncertainty about it, i.e., H{S\0) 
H{S). 

In our context, the "observer" is Eve, the "system" is 
the secret S, and Eve's "observation" is the set of packets 
transmitted by the terminals that Eve receives, Xe- In the 
worst case, after making her observation, Eve knows the 
value of S, in which case H{S\Xe) 0. In the best case, 
after making her observation. Eve knows only the length \S\ 
of the secret, i.e., to her, S is equally likely to have any 
value from to 2l'^l^^; in this case, H{S\Xe) — > — logj;^, 
which is the maximum uncertainty that Eve can ever have 
about S. So, we say that our secret agreement is information- 
theoretically secure, when, by receiving the set of packets Xe, 
Eve does not decrease her uncertainty about the secret, i.e., 
H{S\Xe) ^ H{S) ^- log 

E. Quality Metrics 

We use two metrics to characterize the quality of our secret- 
agreement protocol: 

Reliability. R = ^^^^^^ ^ , where S is the secret generated 
by the protocol, Xe is the set of packets transmitted by the 
terminals and correctly received by Eve, H{S) is 5's entropy 
from Eve's point of view, and H{S\Xe) is iS's conditional 
entropy from Eve's point of view, after Eve has received Xe- 
Reliability R means that Eve can correctly guess each secret 
bit of S with probability 2^^, hence the entire secret S with 
probability 2^^l'^l. In the example of Section ITl-BI Eve learns 
nothing about S after receiving packets xi,X3,X5,xe, xg, xio, 
hence the reliability of that particular secret agreement is 1. 

Efficiency. E = ..^^.JL. - This captures the cost of 
our protocol, i.e., the amount of traffic it produces in order 
to generate a secret of a given length. Maurer has formally 
shown that, assuming the theoretical network conditions, the 
maximum efficiency that can be achieved when we have two 
terminals, Alice and Bob, is E — <5e(1 — where Se 
and Si are Eve's and Bob's erasure probabilities, respectively 
(although he has not shown how to achieve this upper bound 
using operations of bounded complexity) |17|. In the example 
of Section Hl-BI Alice sends 10 packets in order to establish a 
secret whose length corresponds to 2 packets; hence, ignoring. 



Symbol 


Meaning 


n 


Number of terminals 


m 


Number of trusted interferers 


T, 


Terminal i 


Se 


Erasure probability of Alice-Eve channel 


Parameters used in both the Basic and Adapted protocols 


N 


Number of x-packets transmitted by Alice 




(initial phase, step 1) 


N* 


Number of x-packets received by at least 




one terminal (initial phase, step 1) 




Number of x-packets received by Ti 




(initial phase, step 1) 


M 


Number of j/-packets created in the initial phase 




(initial phase, step 3) 




Number of i/-packets reconstructed by Ti 




(initial phase, step 4) 


L 


Number of s -packets created by Alice 




(reconciliation phase, step 3 (Basic) or step 4 (Adapted)) 


Parameters used only in the Adapted protocol 


Ml 


Number of ^/-packets created by terminal Tj 




in the Adapted protocol (step 1, initial phase) 


K, 


Number of 2-packets created by terminal Ti 




in the Adapted protocol (step 2, reconciliation phase) 



TABLE I 
Commonly used symbols 



for the moment, the feedback sent by Bob to Alice, the 
efficiency of that particular secret agreement is i? = 0.2, which 
is the maximum possible according to Maurer's upper bound. 

Ideally, we want our protocol to have reliability 1 and 
efficiency that is equal to the known optimal for n = 2 
terminals and scales well to an arbitrary number of terminals. 

III. Basic Secret- Agreement Protocol 

In this section, we describe a secret-agreement protocol that: 
given n trusted nodes, it allows them to create a common 
secret S. We will show that, assuming the theoretical network 
conditions, a passive adversary obtains information about S. 

A. Gist 

Alice first transmits N packets. Suppose that, of these, N 
are commonly received by all the terminals, hence 5eN are 
received by all the terminals but not Eve. At this point, Alice 
could create a secret by creating SeN combinations of the 
N commonly received packets (as she did in the example of 
Section III-BI ); however, N decreases exponentially with the 
number of terminals, such that 5eN quickly goes to 0. Instead, 
Alice transmits a second round of packets, with the purpose of 
increasing the amount of information that is commonly known 
to her and all the other terminals, without increasing, as much 
as possible, the amount of information known to Eve. 

Hence, our protocol consists of two phases. In the initial 
phase, Alice transmits N packets, which results in her sharing 
some number of (different) secret packets with each terminal. 
In the reconciliation phase, Alice transmits additional informa- 
tion, which results in her sharing the same secret packets with 
all terminals. I.e., the reconciliation phase does not increase 
the number of secret packets shared by Alice and any terminal, 
just "redistributes" them, such that all terminals share the same 
number of secret packets. 

The basic structure of the two phases is similar: Alice 
first transmits some number of packets (e.g., xi, . . . xiq); she 
creates linear combinations of these packets (e.g., 1/1,2/2) and 



tells the other terminals how she created each combination 
(e.g., that yi ~ xi ® ® xq and y2 — x^ (B x-j); each 
terminal reconstructs as many linear combinations as it can 
(depending on which initial packets it received). The point of 
this exchange is always to "mix" the information shared by 
the terminals, such that, even if Eve has overheard some of 
the initial packets, she still has no information on the linear 
combinations. 

B. Basic Protocol Description 
Initial Phase: 

1) Alice transmits N packets (we will call them x-packets). 

2) Each terminal T^^o reliably broadcasts a feedback mes- 
sage specifying which a;-packets it received. 

3) Alice creates M linear combinations of the a;-packets 
(we will call them y-packets), as described in "y- 
packet construction" below. She reliably broadcasts the 
coefficients she used to create the y-packets. 

4) Each terminal Ti^o reconstructs as many (say Mi) of 
the y-packets as it can. 

At this point, Alice shares Mi y-packets with each terminal 
Ti. If n ~ 2 terminals, the common secret is the concatenation 
of the Ml y-packets shared with Ti, S ^ (yi, . . . , yMi), and 
the protocol terminates. 
Reconciliation Phase: 

1) Alice creates M — mini Mi linear combinations of the 
y-packets (we will call them z-packets), as described in 
"z-packet construction" below. She reliably broadcasts 
both the contents and the coefficients of the z-packets. 

2) Each terminal Ti^o reconstructs all the AI y-packets by 
combining the Mi y-packets it reconstructed in step 4 
of the initial phase with M — Mi of the z-packets. 

3) Alice creates L = min^ Ali linear combinations of the 
y-packets (we will call them s-packets), using the con- 
struction specified in Lemma |6] (Appendix, Section [All. 
She reliably broadcasts the coefficients she used to create 
all the s-packets. 

4) Each terminal Ti^Q reconstructs all the s-packets. 

At this point, Alice shares the same L = min^ Mi s- 
packets with each terminal Ti. The common secret is the 
concatenation of these s-packets, S = (si,...,sl), and the 
protocol terminates. 

y-packet construction: Alice identifies the A^* x-packets 
that were received by at least one terminal. She considers 
each subset of terminals J', identifies the N'^ x-packets 
that were received by all the terminals in the subset but no 
other terminals, and creates SeN'^ linear combinations of 
these packets using the construction specified in Lemma |5] 
(Appendix, Section |A]i. As a result, she creates 5eN* linear 
combinations. For an illustration, see Figure [T] 

z-packet construction: Alice chooses the z-packets such 
that: every terminal r,;^o can combine M — Mi z-packets with 
the Mi y-packets it reconstructed in step 4 of the initial phase, 
and reconstruct all the M y-packets; choosing the z-packets 
can be done using standard network-coding techniques [il 11 . 



C. An Example Agreement 

We will now illustrate the role of each step through a 
simple example (Figure [T]l: Alice wants to create a common 
secret with 2 other nodes. Bob and Calvin; both the Alice-Bob 
channel and the Alice-Calvin channel have the same erasure 
probability 5i = 82 — 5; the Alice-Eve channel has erasure 
probability 5e- Assume that Eve is a passive adversary, i.e., 
she never performs any transmissions. 

In step 1 of the initial phase, Alice transmits N x-packets. 
Assume that N is large enough that, at the end of this step. Bob 
has received Ni — )■ [1 — 5)N x-packets, Calvin has received 
iV2 — > (1 — 5)N x-packets, and Bob and Calvin together have 
received A^* (1 — 5'^)N x-packets. 

In step 3 of the initial phase, Alice creates the y-packets, 
which encode all the secret information that is shared, at this 
point, by Alice and each terminal separately: She creates M — 
5e{^ — S'^)N y-packets. Among these, there are Mi = SeNi 
y-packets, which are linear combinations of the A'^i x-packets 
received by Bob; these encode all the information that is shared 
by Alice and Bob but not Eve. Similarly, there are M2 « Mi 
y-packets, which are linear combinations of the N2 « A^i x- 
packets received by Calvin; these encode all the information 
that is shared by Alice and Calvin but not Eve. So, at the end 
of the initial phase, Alice shares Mi secret packets with Bob 
and Ml (different) secret packets with Calvin. 

In the reconciliation phase, Alice first tries to reach a point 
where she shares with both Bob and Calvin all the M y- 
packets. To this end, in step 1 of the reconciliation phase, Alice 
creates the z-packets, which encode the difference between 
what Bob and Calvin already know and what Alice wants them 
to know: she creates and reliably broadcasts M — Mi linear 
combinations of the y-packets. In step 2 of the reconciliation 
phase. Bob combines the Mi y-packets he already knows with 
the M — Ml linear combinations of the y-packets broadcast by 
Alice and reconstructs all the M y-packets (and Calvin does 
the same). 

Now consider Eve: Assume that N is large enough that, at 
the end of the initial phase. Eve has received Me — > (1 — 
6e)N* of the x-packets received by either Bob or Calvin or 
both. Hence, Eve cannot reconstruct any of the M = SeN* 
y-packets. In step 1 of the reconciliation phase, Alice reliably 
broadcasts M — Mi linear combinations of the y-packets (in 
order to fill in Bob's and Calvin's missing information). Eve 
also receives this broadcast. Hence, at the end of step 2 of 
the reconciliation phase. Eve can reconstruct M — Mi of the 
y-packets. 

Based on what we have said so far, at the end of step 2 
of the reconciliation phase. Bob and Calvin know all M y- 
packets, while Eve knows M — Mi y-packets. Hence, in step 3 
of the reconciliation phase, Alice creates the s-packets, which 
encode all the secret information that is shared, at this point, by 
Alice, Bob, and Calvin: she creates Mi s-packets, which are 
linear combinations of all the M y-packets. The concatenation 
of the Ml s-packets is the common secret S. 

To recap, at the end of the initial phase, Alice shares Mi 
different secret packets with each of Bob and Calvin, whereas 



Bob receives 
Ni = \Xi\^\Xi2\ a:-packets N2 




Initial Phase, Step 1 

Alice transmits N a;-packets 
Calvin receives Eve receives 

1-^21 + I -^12 1 x-packets A''^ x-packets 



Xi'. x-packets received by Bob, not Calvin 
X2: a;-packets received by Calvin, not Bob 
X12: a;-packets received by Bob and Calvin 

Initial Phase, Step 3 



vAlice constructs Ad y-packets. 



|3^i| ^^^bIA-iI from A-i, 
1:^21 ^Se\X2\ from A-a, 
13^12 1 = 1^12 1 from X12. 



Bob reconstructs 
Ml = SeNi y-packets 



Initial Phase, Step 4 

Calvin reconstructs 
M2 = SeN2 y-packets 

Reconciliation Phase, Step 1 



Eve reconstructs 
Me y-packets 



Alice reliably broadcasts M — Mi linear combinations of the y-packets 
Reconciliation Phase, Step 2 



Bob reconstructs 
all the M y-packets 



Calvin reconstructs Eve reconstructs 

all the M y-packets M'^ y-packets 

— Reconciliation Phase, Step 3 

Alice constructs Mi s-packets 

— Reconciliation Phase, Step 4 



Bob reconstructs 
all the Ml s-packets 



Calvin reconstructs 
all the Ml s-packets 



Eve reconstructs 
Me s-packets 



Parameter values 



Ni=N2^ {1~ S)N 
NE^il- Se)N 



M = (5ij(l - S^)N 



Ml = M2 - SeNi 
-^dE{l-S)N 
Me 



M'p M - Ml 



Ml Se{1 - S)N 



Me-^0 



Fig. 1. Alice, Bob, and Calvin establish a common secret <S in the presence of passive adversary Eve. 



at the end of the reconciliation phase, she shares Mi common 
secret packets with both of them. So, the reconciliation phase 
does not increase the amount of secret information shared by 
Alice and each terminal, but "redistributes" information, such 
that Alice ends up sharing the same secret information with 
all the terminals. 

D. Discussion of Key Points 

The size of the established common secret is L = 
ia.va.iMi = (5b mini A'^^i = '^^(l — maxi^i)iV: the minimum 
number of x-packets that are received by a terminal but not 
Eve. In other words, the size of the established common secret 
is determined by the weakest terminal, i.e., the one that shares 
the least amount of secret information with Alice at the end 



of the initial phase. This means that, if Alice can establish a 
secret of size L with Bob, and then we add another terminal, 
Calvin, who has better connectivity to Alice than Bob, then 
the three terminals can establish a common secret of the same 
size L — i.e., adding Calvin to the group will not decrease the 
size of the established secret. 

So, increasing the number of terminals from 2 to n does 
not necessarily decrease the size of the established common 
secret. For instance, if all the terminals have identical channels 
{5i = S,\/i), then the size of the established common secret is 
L — Se{1 — S)N, which is equal to the size of the secret estab- 
lished between two terminals in the example of Section III-BI 
Moreover, the extra transmissions that Alice has to make in the 
reconciliation phase are M - (5_e(1 - S)N < N -Se{1- S)N, 



i.e., M is upper-bounded by a constant that is independent of 
n. As we will see in the analysis section, this independence 
from n is key to the scalability of our protocol. 

Linear coding is used to two different effects by our 
protocol: (1) As a means to fill in the information missing from 
each terminal by transmitting the minimum number of packets: 
In step 1 of the reconciUation phase, the M — min^ Mi z- 
packets are linear combinations of the M y-packets; given that 
each terminal already knows at least min^ Mi j/-packets from 
the initial phase, it can reconstruct all M y-packets. (2) As a 
means to perform privacy amplification, i.e., combine all the 
information known to the terminals but not to Eve: In step 3 of 
the initial phase, Alice creates 5eN* y-packets that are linear 
combinations of the N* a;-packets received by at least one 
terminal; assuming Eve has missed SeN* of these a; -packets, 
she cannot reconstruct any of the y-packets. Similarly, in step 
3 of the reconciliation phase, Alice creates min,; Mi s-packets 
that are linear combinations of the M y-packets known to all 
the terminals; assuming Eve has missed min^ Mi y-packets, 
she cannot reconstruct any of the s-packets. 

Point (2) assumes that N (hence also N*) is large enough 
that, if the Alice-Eve channel has erasure probability 6e, 
then Eve misses close to 6eN* of the N* .T-packets. Of 
course, it is theoretically possible that Eve gets lucky and 
receives significantly more x-packets than expected; however, 
by picking the right value for N, we can make this event 
arbitrarily unlikely (e.g., as likely as Eve correctly guessing the 
value of the secret S by randomly picking a number between 
and In Section IVlIl where we present our experimental 
results, we show exactly how much information Eve collects 
about every generated common secret S. 

IV. Protocol Analysis 

In this section, we state certain properties of the Basic 
secret-agreement protocol and also present a formal argument 
on why we chose this particular protocol over a more obvious 
alternative. 

Lemma 1. If the theoretical network conditions hold, there 
exists a sufficiently large N for which the Basic secret- 
agreement protocol is information-theoretically secure against 
a passive adversary. 

Lemma 2. If the theoretical network conditions hold, there 
exists a sufficiently large N for which the Basic secret- 
agreement protocol achieves efficiency 

p_ Se{1^6) 
1 + Se{S~A)' 

where 6 — maxi{(5i} and A 6162 ■ ■ ■ iJn-i- 

To give a sense of the achieved efficiency, we consider the 
case where 6i — 6e (all the channels between Alice and 
any node are identical) and plot, in Figure |2] (solid lines), 
the efficiency of our protocol as a function of the erasure 
probability of the channels, for different values of the number 
of terminals n. The bell-shape of the curve is explained as 
follows: when the erasure probability is 0, Eve misses none 



0.25 


11=2 ^"■'''71=3 




0.2 






0.15 






0.1 


X n=6 




0.05 









jh'' n=ao 





0.5 1 

Eraslue Probability 

Fig. 2. Efficiency of secret agreement as a function of the erasure probability 
of the channels (assuming identical erasure channels) for our protocol (solid 
lines) and the alternative protocol (dashed lines). 

of the packets transmitted by Alice, which means that Alice 
cannot establish any secret with the other terminals, no matter 
how many packets she transmits — Whence, the efficiency of the 
protocol is 0; when the erasure probability is 1, Eve misses 
all of the packets transmitted by Alice, but so do all the other 
terminals, so, again, the efficiency of the protocol is 0; the 
maximum efficiency is achieved somewhere in between (at 
erasure probability 0.5 when we have n — 2 terminals, and at 
V2 — 1 when n 00). The shift of the maximum point is 
due to the additional (by at most — min^ Mi) transmissions 
performed in the reconciliation phase. Note that, as the number 
of terminals goes to infinity, the maximum efficiency of our 
protocol approaches 20% — a substantial non-zero value. 

The Basic protocol scales well with the number of terminals 
because we try to leverage broadcasting as much as possible. 
If we were, instead, to require pairwise secret establishment 
between Alice and each terminal, efficiency would quickly 
go to with the number of terminals. To see this, consider 
the following, conceptually simpler alternative to the Basic 
protocol: Alice establishes a separate secret Si with each other 
terminal Tj (using the initial phase of the Basic protocol) 
and uses Si to convey a common secret S to each Ti (e.g., 
reliability broadcasts Aii — S®Si for all i 7^ 0). Its efficiency 
is = i+(n-2)Mi-a) ' ■^here S = max, (5,. Figure |2] 

shows this efficiency (dashed lines), plotted against the effi- 
ciency of the Basic protocol (solid lines), as a function of the 
erasure probability of the channels, assuming all channels are 
identical. Notice that, unlike the efficiency of our protocol, 
^(ait) quicjjiy goes to zero as the number of terminals n 
increases. 

Lemma 3. If the theoretical network conditions hold, then, 
for n = 2 terminals, the Basic protocol achieves maximum 
efficiency. 

This is directly derived from Lemma |2] for n = 2 terminals, 
we achieve efficiency = — &i), which is the maximum 
possible Ifm . 

Lemma 4. Each terminal that participates in the Basic 
protocol executes an algorithm that is polynomial in N. 

The proofs of Lemmas [T] and |4] are in the Appendix, 
Section |A] We omit the proof of Lemma |2] which is straight- 
forward. 



V. Authentication 

The Basic protocol is information-theoretically secure 
against passive adversaries, but is vulnerable to active attacks: 
what if Eve impersonates a terminal, participates in the pro- 
tocol, and learns the common secret? 

To protect against impersonation attacks, the (true) terminals 
need to share an initial common secret a, of sufficient size 
to authenticate each other until they successfully complete 
one round of the Basic protocol; once they have successfully 
completed a round (and generated a new common secret S 
with \S\ ^ |a|), they can use a part of S to authenticate each 
other until the next successful round completion. 

Since we are aiming for information-theoretic security, 
the terminals use an unconditionally secure authentication 
code flO|. Such a code provides a function auth{^,a), which 
returns an authenticator a for message fi given key a, such 
that: an entity that does not know a can generate a valid 
message/authenticator pair (launch a successful impersonation 
attack) with probability where \A\ is the size of the 
authenticator space. 

Choosing at which step(s) of the Basic protocol to perform 
the authentication involves a trade-off between efficiency and 
the adversary model that we want to consider: At one extreme, 
each terminal appends an authentication code to every single 
packet it transmits or reliability broadcasts. At the other 
extreme, the terminals authenticate each other only at the last 
step of the reconciliation phase (i.e., each terminal obtains 
proof that all the other terminals with which it has created 
a common secret know the initial common secret a). The 
former requires a significantly larger cr to provide information- 
theoretic guarantees (because it reveals many more authentica- 
tors to the adversary). The latter makes the protocol vulnerable 
to a simple denial-of-service attack: in every protocol round. 
Eve impersonates a terminal and learns the common secret; at 
the end of the reconciliation phase, she fails to authenticate 
herself to the (true) terminals, causing the common secret to 
be discarded and the protocol to restart. 

We chose a solution in the middle, which, in our opinion, 
offers a good balance: authentication happens at the end of 
the initial phase, after step 4: 

4-A Alice performs pair-wise authentication (described be- 
low) with each terminal Tj^o. using the ?/-packets that 
Ti has reconstructed and the initial common secret a. 
If Alice fails to authenticate herself to Ti, Ti stops 
participating in the protocol. If T fails to authenticate 
itself to Alice, Alice excludes Ti from the agreement and 
discards all the y-packets that Ti has reconstructed. 

Pair-wise authentication consists of the following steps: 

1) Alice concatenates W bits selected from the y-packets 
that Ti has reconstructed in the initial phase, step 4, 
creates a message pi that contains this concatenation, 
and reliably broadcasts ai = auth{pi,a). 

2) Ti creates a message fi'^ in the same way and checks 
whether a; = auth{^^^ cr). If yes, Alice has successfully 
authenticated herself to Ti, otherwise, she has failed. 



3) Ti concatenates a different set of W bits from the y- 
packets that it has reconstructed in the initial phase, step 
4, creates a message Vi that contains this concatenation, 
and reliably broadcasts Pi — auth{vi,a). 

4) Alice creates a message v[ in the same way and checks 
whether /?; = auth{v[,(j). If yes, Ti has successfully 
authenticated itself to Alice, otherwise, it has failed. 

Regarding the size of the relevant parameters: Since we are 
using an unconditionally secure authentication code. Eve can 
launch a successful impersonation attack with probability ji^; 
for \a\ = 32 bits, this becomes 0.232 • 10^^. We authenticate 
messages of size W; unconditionally secure authentication 
codes require a key of twice the size of the authenticated 
message, hence W = |o'|/2 = 16 bits. 

Now suppose that Eve is an active adversary. First, she 
impersonates a terminal other than Alice. In this case. Eve 
fails to authenticate herself to Alice (initial phase, step 4-A) 
because she does not know a, causing Alice to exclude her 
from the agreement. This means that Alice discards all the 
y-packets that Eve has reconstructed, hence, at the end of the 
initial phase. Eve cannot reconstruct any of the (remaining) y- 
packets, i.e., she is in the same position as a passive adversary. 
Second, suppose that Eve impersonates Alice. In this case. Eve 
fails to authenticate herself to any of the other terminals (initial 
phase, step 4-A) because she does not know a, causing the 
terminals to stop talking to her. 

VI. Adapting to a Real Network 

In this section, we describe how we adapt our secret- 
agreement protocol to a small wireless testbed (14 m'^), where 
the theoretical network conditions do not hold. Instead, we 
use interferers to introduce noise and ensure that an adversary 
does not receive all the packets received by any terminal, as 
long as she has a minimum physical distance (1.76 m) from 
each terminal. 

A. Setup and First Try 

Our testbed (Figure|3} covers a square area of 14 rv?. We use 
m — & interferers, which are WARP nodes ifTSl . each with two 
directional antennae, each with a narrow 3-dB 22-degree beam. 
We deploy up to n = 8 terminals and one adversary. Eve, 
which are Asus WL-500gP wireless routers running 802. llg 
(at 2.472 GHz, transmit power 3 dBm) in ad-hoc mode. During 
our experiments, when a terminal transmits, it sends 100-byte 
packets at a rate of 1 Mbps. 

We logically divide the testbed area in 3 rows and 3 columns 
of equal width, place Eve in one of the 9 logical cells, and the 
terminals in various positions around her, but not in the same 
cell. Our rationale is the following: if a group of wireless nodes 
want to exchange a secret, it is reasonable to require from 
each of them to stand at least some minimum distance away 
from any other wireless node. In our testbed, this minimum 
distance is 1.76 m (the diagonal of a logical cell), and, as 
we explain below, it was determined by the shape of the 
interferers' beams; with a narrower beam, we would have 
achieved a smaller minimum distance. 





• T4 






■ 

Fvp 






/ 


•To 



Fig. 3. A testbed configuration. The six round nodes (Ti) are trusted terminals 
that are trying to establish a common secret S. The square node (Eve) is an 
adversary whose goal is to guess cS. 

We place the interfering antennae along the perimeter of 
the covered area (3 on each side); we turn them on and off, 
such that, at any point in time, one pair of antennae creates 
noise along a row, while another pair creates noise along 
a column; since we have 9 row/column combinations, there 
are 9 different noise patterns. To choose the width of the 
rows/columns, we performed a simple calibration using only 
two interfering antennae: we placed the antennae at opposite 
ends of the first row; we chose the width of the row to be 
the maximum width such that, when the antennae were on, 
any wireless node located in the row did not receive any other 
signal transmitted from within the 14 m^ covered area. Hence, 
the number of rows and columns was determined by the shape 
of the interfering antennae's beams; a narrower beam would 
have resulted in more rows and columns given the same area. 

Each experiment is divided in time slots; at the beginning 
of each time slot, we turn on different interferers, such that, 
by the end of the experiment, we have rotated through all 9 
noise patterns. 

The goal of rotating noise patterns is to emulate independent 
packet-erasure channels: Suppose Alice transmits N a;-packets 
during each experiment, equally spread across the 9 time slots. 
Assume that, during each time slot, each node located in the 
row or the column that are interfered with receives of Alice's 
packets, while each of the remaining nodes receives all of 
Alice's packets. Now consider the positioning of the terminals 
shown in Figure [3] Because terminal Ti is on the same row 
with Eve, 2 out of the 9 noise patterns affect Eve but not Ti; 
hence, if, during an experiment, Alice transmits N packets, 
0.22N of these packets are received by Ti but not Eve. This 
is the same outcome that we would have, if the Alice-T!; and 
Alice-Eve channels were independent, with Se{1 — Si) — 0.22. 

Our First Try. The reason why we need the theoretical 
network conditions in the Basic protocol is that they guarantee 
two facts: (i) each terminal Ti receives Mi = SsNi x- 
packets that are not received by Eve, and (ii) the union of all 
terminals receives M — 5eN* x-packets that are not received 
by Eve. These two numbers determine the main parameters 
of the protocol, namely how many y-packets (M), z-packets 
(M — minMi), and s-packets (L — min A/.;) Alice creates. 
In our testbed, we expected our controlled interference to 



ensure two similar facts: (i) each terminal Ti receives at least 
min A/i = 0.22iV a;-packets that are not received by Eve, and 
(ii) the union of all terminals receives at least M a;-packets 
that are not received by Eve, where M can be computed 
based on the number of cells occupied by terminals (we skip 
the computation for lack of space). Hence, even though the 
theoretical network conditions do not hold, we still know how 
many y-, z- and s-packets Alice should create. 

However, this rationale assumes that, when Alice transmits, 
all the nodes that are located in an interfered-with row or 
column receive nothing, while the rest receive everything. 
It turned out that, in practice, this cannot be guaranteed 
with probability 1, due to random channel-propagation effects, 
which creates two new problems: (1) Zero secret size: in rare, 
but statistically significant occasions, during an experiment. 
Eve receives all the a;-packets received by one of the terminals, 
i.e., min Mi — 0, which means that the terminals cannot create 
any common secret at all. (2) Unpredictable secret size: 
the value of min Mi varies significantly between experiments, 
which means that the terminals do not know how big a secret 
they should create (such that Eve has information about it). 
To address these two problems, we adapt our secret-agreement 
protocol as described in the next three sections. 

B. Gist 

To address the "zero secret size" problem, we make all the 
terminals take turns in transmitting x-packets. The idea is to 
make each terminal Ti receive information through multiple 
different channels (as opposed to receiving information only 
from Alice), making it unlikely that Eve will collect the 
same information with Ti. In particular. Eve collects the same 
information with terminal Ti only when: for every single 
terminal Tj^i, the channel between Tj and Ti happens to be 
the same with the channel between Tj and Eve, throughout the 
experiment. This never happened in any of the experiments 
that we ran. 

To address the "unpredictable secret size" problem, we 
estimate the amount of information that Eve collects based on 
the information collected by the terminals. I.e., we essentially 
pretend that each terminal Ti is Eve and that all the other 
terminals want to establish a common secret that is unknown 
to Ti\ since we know which packets were received by each 
terminal (including Ti), we can compute exactly what the size 
of this supposed secret should be. Then we combine all these 
computations to estimate the size of the actual common secret. 

We made this last choice based on the following obser- 
vations: Channel behavior varies significantly over time, to 
the point where we cannot estimate or even upper-bound how 
much information Eve collects during one experiment based on 
how much information she collected during past experiments. 
Channel behavior also varies over space, but less so: if, during 
an experiment, node Ti receives many packets in common with 
neighbor Tj, then node Ti most likely receives many packets 
in common with its other neighbors as well. It turns out that, 
by measuring how many packets each pair of neighboring 
terminals receive in common during one experiment, we can 



estimate quite accurately how many packets any terminal and 
Eve receive in common in the same experiment. 

C. Adapted Protocol Description 

Initial Phase: For j = l..n: 

1) Terminal Tj transmits N packets (we will call them x- 
packets). 

2) Each terminal T,;^j reliably broadcasts a feedback mes- 
sage specifying which a:-packets it received. 

3) Tj does the following: 

a) It counts the number of a; -packets Ni received by 
terminal T^, for all i ^ j- 

b) It counts the number of x-packets Af^^ received by 
both T, and Tfc, for all i,k^ j. 

c) It computes 6^ = for all i^j. 

d) It computes Se = max^ Si. 

e) It performs step 3 of the initial phase of the Basic 
protocol, using 6e ~ Se- 

As a result, Tj creates AP = SeN linear combinations 
of the x-packets (we will call them y-packets) and 
reliably broadcasts the coefficients it used to create them. 

4) Each terminal T^j reconstructs as many (say Mi) of 
the y-packets as it can (based on the x-packets it 
received in step 1). 

Reconciliation Phase: 

1) Alice identifies which Ali y-packets are known to each 
terminal T^. She provides them as input to the program 
specified in the Appendix, Section |C] which outputs 
a non-negative integer Ki for all i. Then she reliably 
broadcasts all the Ki. 

2) Each terminal Ti creates Ki linear combinations of the 
Mi y-packets that it reconstructed in the initial phase 
(we will call them z -packets). It reliably broadcasts both 
the contents and the coefficients of the z-packets. 

3) Each terminal Ti combines the z-packets it received with 
the y-packets it reconstructed in the initial phase, and 
reconstructs all the M = J2i y-packets. 

4) Alice creates L = M — '22i Ki linear combinations 
of the M y-packets (we will call them s-packets), 
using the construction specified in Lemma l6l (Section lAl 
Appendix). She reliably broadcasts the coefficients she 
used to create all the s-packets. 

5) Each terminal Tj reconstructs all the s-packets. The 
common secret is their concatenation S = (si, . . . , sl). 

D. Discussion of Key Points 

We illustrate the key points of the protocol by considering 
again the example where Alice, Bob, and Calvin want to 
establish a common secret S in the presence of passive 
eavesdropper Eve. 

The first difference from the Basic protocol is that we do 
not know how many a; -packets Eve receives in common with 
each terminal, so, we estimate it based on how many a; -packets 
various pairs of terminals receive in common (initial phase, 
step 3). For instance, suppose that, in step 1 of the initial 



phase, Alice transmits = 10 a; -packets. Bob receives xi, 
X2, X3, Xi, xj, and xg, while Calvin receives xi, x^, x^, and 
xq. Hence, Bob receives iVi = 6 x-packets, Calvin receives 
N2 — 'i x-packets. Bob and Calvin together receive a total of 
N* — 8 a; -packets, while they receive A/12 = 2 a; -packets in 
common. Hence, in step 3 of the initial phase, Alice computes 
Si = 0.33, S2 = 0.5, and Se — 0.5, and she creates a total of 
AfO ^SeN* ^ 4: y-packets. 

What we lose relative to the Basic protocol is that we cannot 
guarantee a minimum reUability, because we do not know how 
much information Eve collects during the initial phase: It is 
possible that Eve receives more a; -packets in common with 
the terminals than we estimate, which means that, at the end 
of the initial phase, she knows some fraction of the M y- 
packets, hence, at the end of the reconciliation phase, she 
knows some information about the L s-packets. Note that this 
does not mean that Eve knows the common secret S, only 
that she knows some information about it, which increases 
her probability of guessing it right. 

A side-effect of estimating the amount of information 
collected by Eve based on the information collected by the 
terminals is that the performance of the protocol depends 
on the number of terminals n: the more terminals we have, 
the more we learn about the quality of channels throughout 
the network, hence we can estimate the quality of Eve's 
channels better For instance, if we have only n — i terminals, 
when Alice transmits, she estimates how many a;-packets were 
received in common by Bob and Eve based on how many x- 
packets were received in common by Bob and Calvin; if it 
happens that the channel from Alice to Eve is significantly 
different from the channel from Alice to Bob, then the estimate 
is inaccurate. For n — 2 terminals, the protocol does not work 
at all, because Alice has no way of estimating how many x- 
packets Bob received in common with Eve. 

The second difference from the Basic protocol is that the 
terminals take turns in transmitting a; -packets (initial phase, 
step 1) and creating y-packets (initial phase, step 3). Hence, 
at the end of the initial phase, there exists no terminal that 
knows all the y-packets, and the reconciliation needs to happen 
in a distributed manner: we need to solve a program that takes 
as input which terminal knows which y-packets and outputs 
how many z-packets (linear combinations of y-packets) each 
terminal needs to reliably broadcast, such that all terminals 
learn all the y-packets (reconciliation phase, steps 1 and 2). 

What we lose relative to the Basic protocol is that we cannot 
guarantee a minimum efficiency, because we do not know 
how much information the terminals will have to broadcast 
during the reconciliation phase: At the end of the initial 
phase, all the terminals together have created M y-packets, 
where M depends on network conditions. In the reconciliation 
phase, all the terminals together broadcast K z-packets (linear 
combinations of y-packets), where K also depends on network 
conditions. Hence, at the end of the reconciliation phase. Eve 
knows at least K of the M y-packets, and the terminals 
create L = M — K s-packets (linear combinations of the 
y-packets). This means that the efficiency of the protocol is 



riN+td'-K ' which depends on the network conditions during 
the experiment. 

In summary, once we do not assume perfect knowledge of 
network conditions, we cannot offer formal guarantees about 
the reliability and efficiency of a protocol that relies precisely 
on these network conditions to generate a secret; we have 
to assess its reliability and efficiency experimentally, for the 
particular space where we want to deploy it. 

VII. Experimental Evaluation 

In this section, we experimentally evaluate the Adapted 
secret-agreement protocol in our testbed. 

When we refer to an "experiment," we mean that we place 
n terminals and Eve on the area covered by our testbed, such 
that each cell is occupied by at most one node, and we run one 
round of the Adapted protocol. We run one such experiment 
for each possible positioning of n terminals and Eve, and we 
run one such set of experiments for n = 3 to 8 terminals. 
For instance, we run 504 experiments with n — ?> terminals 
(because there are 504 different ways to position 3 terminals 
and Eve on our testbed), while we run 9 experiment with 
n — % terminals (because there are 9 different ways to position 
8 terminals and Eve on our testbed). 

A. Efficiency and Reliability of the Adapted Protocol 

Each graph we present shows efficiency or reliability as 
a function of the number of terminals n; for each value 
of n, we show three values: "minimum" is the minimum 
efficiency/reliability achieved during any experiment with n 
terminals; "average" is the average of the efficiency/reliability 
achieved across all experiments with n terminals; "50th quar- 
tile" and "95th quartile" is the minimum efficiency/reliability 
achieved during 50% and 95% of the experiments with n 
terminals. 

Figure |4(a)| shows the efficiency of the Adapted protocol: 
For n — % terminals, it has minimum efficiency Emin = 
0.038; given that the terminals transmit at rate 1 Mbps, this 
efficiency yields 38 secret Kbps. For n — 6 terminals, E„iin = 

0. 028, which yields 28 secret Kbps. The reason efficiency 
decreases with the number of terminals is related to the "zero 
secret size" problem (Section IVIb : when Alice transmits, it is 
possible that Eve receive all the a;-packets received by Bob (if 
the Alice-Bob channel happens to be the same with the Alice- 
Eve channel); we side-stepped this problem by making all the 
terminals transmit x-packets, thereby creating more channel 
diversity; however, the fewer the terminals we have, the less 
the diversity we create, hence the more likely it is for Eve to 
receive a large fraction of the x-packets received by Bob (or 
any one terminal). 

Figure |4(b)| shows the reliability of the Adapted protocol: 
For 71 = 8 terminals, it has minimum reliability Rmm — 1, 

1. e., in any experiment. Eve can correctly guess the value of a 
secret bit with probability 2^^ = 0.5 and the value of an 
s-packet with probability 2^^"" — > (each packet is 800 
bits). For n = 6 terminals, Rmm = 0.2, i.e., in the worst 
case. Eve can correctly guess the value of a secret bit with 



0.08 
0.07 
0.06 
,0.05 
0.04 
0.03 
0.02 
0.01 




l80 



Average 
50% Quartile 
95% Quartile 
Minimum 



70 " 



5 6 
Number of terminals (n) 

(a) Efficiency 




0.8 
0.6 
0.4 
0.2 



0.50 



0.57: 



0.66 CO 



0.76 S 



-0.87' 



1.00 



3 4 5 6 7 £ 

Number of terminals (n) 

(b) Reliability 

Fig. 4. Performance of the Adapted protocol as a function of the number 
of terminals n. For n = 8 terminals, we generate at least 38 secret Kbps 
with minimum reliability 1. For n = 7 and 6 temiinals, we generate at least 
28 secret Kbps with minimum reliability below 1, but such that Eve still has 
negligible probability of correctly guessing an s-packet. For fewer terminals. 
Eve's probability of correctly guessing an s-packet becomes non-neghgible. 

probability 2^°-^ = 0.87, but the value of an s-packet still with 
probability 2^°-^'^°° 0. The reason reliability decreases 
with the number of terminals is related to the "unpredictable 
secret size" problem (SectionlVB: each terminal estimates how 
many y-packets to create based on information provided by 
the other terminals; the fewer the terminals, the less accurate 
the estimate, hence the more likely it is to create more y- 
packets than are secret to Eve. Note that the "bad" experiments 
(where we achieve very low reliability) are relatively few: for 
71 = 6 terminals, in 95% of the experiments (i.e., possible node 
placements), Rmm — 0.5, i.e.. Eve can correctly guess the 
value of a secret bit with probability 0.7 and an s-packet with 
probability 2~"'^'®'^° 0. Also, for any number of terminals, 
in at least half of the node placements, we achieve minimum 
reliability 1 (the 50% quartile in Fig. |4(b)| is always 1). 

B. Privacy Amplification 

In the Adapted protocol, each terminal generates as many y- 
packets as (it estimates to be) possible, such that these packets 
remain secret from Eve; as we saw in the last section, for fewer 
than 8 terminals, this results in creating a larger secret than 
appropriate, hence achieving reliability well below 1. 

One practical — if not elegant — way of increasing reliability 
would be to add a conservative privacy-amplification step at 



^0.8 

!5 
a 

0.6 

E 

I 0.4 





/ /f 

/ /I 
/ / 

/ / 


- 




— ^ Rate=0. 5Kbps 




^>— Rate=1 Kbps 




— ♦— Rate=2Kbps 




Rate=5Kbps 



0.50 



0.57 - 



66 



76 



87' 



5 6 7 

Number of terminals (n) 



1.00 



Fig. 5. Performance of the Adapted protocol when using privacy amplifi- 
cation. The plot shows minimum reliability as a function of the number of 
terminals n, for different target secret bitstream rates. For n = 6 terminals, 
we get minimum reliability 1 for 5 secret Kbps or less. For n = 5 terminals, 
we get minimum reliability 1 for 0.5 secret Kbps or less. 

the end of the reconciliation phase of the Adapted protocol: 
instead of creating L — M ~ Ki linear combinations 
of the y-packets, create aL combinations, where a E (0, 1) 
depends on the target secret bitstream rate that we want to 
generate. For instance, with n — 6 terminals, the Adapted 
protocol yields a 28 Kbps bitstream, but achieves minimum 
reliability 0.2, because it creates a larger secret than it should; 
if we only care to generate a 1 Kbps secret bitstream, then 
we can instruct the protocol to create 0.035-L s-packets at the 
end of the reconciliation phase, which would result in higher 
reliability. 

Figure |5] shows the minimum reliability that we get as a 
function of the number of terminals n, for different target 
secret bitstream rates: if we instruct our protocol to generate 5 
secret Kbps, we get minimum reliability Rmin = 1 for n ~ 6 
or more terminals; if we instruct our protocol to generate 
0.5 secret Kbps, we get minimum reliability Rmin — 1 for 
n = 5 or more terminals. This suggests that our protocol could 
achieve higher reliability by adapting its secret-generation rate 
according to the number of participating terminals; exploring 
how exactly to perform this adaptation is part of our future 
work. 

VIII. Discussion 

In this section, we discuss the limitations of our proposal, 
outline ideas on how to address them, and state open chal- 
lenges. 

Collusion. We can model collusion by assuming that Eve is 
physically present in many network locations at the same time; 
in that case, she can use the union of the packets received at all 
locations to compromise the security of the common secret. 
In the theoretical model, this scenario is straightforward to 
address: by being present in many locations. Eve essentially 
decreases her erasure probability 6e', hence, the Basic protocol 
does not need to change, it only needs to use Eve's effective 
erasure probability. In a real testbed, we will have to be more 
conservative about the number of y-packets (hence, common 
secret) we create, depending on the level of collusion we want 
to prevent. For instance, suppose that Eve may be present in 



up to two network locations; Alice will have to estimate how 
many packets Bob and Eve received in common based on how 
many packets Bob, Calvin, and some other terminal received 
in common (as opposed to considering only Bob and Calvin). 
We expect the cost to be reduced efficiency. 

Less controlled environment. Our testbed implies a con- 
trolled environment, e.g., a military facility, where (i) we can 
rely on trusted interferers to create artificial noise, and (ii) 
we can assume that nodes located outside the perimeter of the 
testbed cannot overhear transmissions initiated from within the 
perimeter (e.g., because the testbed is within walls that are 
resistive to outgoing radio signals). Our ultimate goal is not a 
such controlled environment. We plan to explore the idea of 
having the terminals themselves generate the necessary noise, 
such that we do not require trusted interferers or well defined 
boundaries. 

Eve has a custom physical layer. In our testbed. Eve 
possesses a standard physical layer, which means that she 
cannot recover packets that are discarded by her physical 
layer One might argue that, if she had access to a custom 
physical layer, she could buffer these packets and collect some 
amount of information from them (because, presumably, not 
all the bits of a discarded packet are received incorrectly). Even 
though we did not perform experiments with custom hardware, 
we have some evidence that our results would still hold: we 
measured the bit error rate experienced by a terminal located 
in a row or column that is interfered with, for a wide range of 
packet sizes; we found that the bit error rate remains constant, 
independently from the packet size; this is consistent with our 
expectation that, when a packet is lost due to our artificial 
interference, most of its bits are received incorrectly by the 
physical layer of the device. 

Eve has directional antennae. In our testbed. Eve is 
a commodity wireless node. One might argue that, if she 
had access to larger and/or directional antennae, she could 
use them to cancel out the interferes' noise. Making our 
interference robust to such attacks is something we want to 
explore in our future work. However, we should note that our 
interference is nearly omnidirectional, hence we expect larger 
and/or directional antennae not to make it significantly easier 
for Eve to cancel it out. 

Residual uncertainty. In our testbed, we achieve reliability 
below 1 in certain experiments, which is a result of the 
"unpredictable secret size" problem (Section IVTt . We want to 
improve this through more sophisticated interference, e.g., by 
using beam forming. However, we would like to note that some 
level of uncertainty will be unavoidable in a real network. 
This is similar to the uncertainty that exists in different 
settings, e.g., electromagnetic emissions modeling in side- 
channel attacks fS], f9l. In Quantum Key Distribution as well, 
experimental deployments still have uncertainty limitations 
w.r.t. the idealized system — these limitations were especially 
severe in the first deployments fl\. 

Jamming attacks. If Eve employs a jamming radio signal, 
she can disrupt all communication and cause a denial-of- 
service attack. However, she then reveals her presence, and 



homing tools can be used to geographically locate her. Such 
attacks are endemic to wireless communications, and several 
methods have been proposed to counteract them, including 
use of spread-spectrum, priority messages, lower duty cycle, 
region mapping, and mode change lf35l . Il36l . 

Artificial noise is necessary. When we started this work, 
we did not consider using artificial noise; instead, we were 
planning to rely on the natural wireless channel conditions. We 
found that any node's (hence, also Eve's) erasure probability 
under natural network conditions can be very low (on the order 
of 10"'^), which means that, unless we artificially increase it, 
secret generation will be very slow (on the order of a few bits 
per second). 

Moving beyond idealized modeling. A valid criticism 
of information-theoretical security is that the security proofs 
assume idealized models; we also started by assuming an 
idealized model, but took two further steps: (i) we attempted to 
artificially create network conditions that emulate the idealized 
model and (ii) we adapted our basic protocol to these network 
conditions. Ours is a proof-of-concept first attempt to emulate 
an idealized model: we could do more careful modeling of 
the natural wireless environment and the received signals, and 
we could use more sophisticated antennae, as well as more 
carefully calibrated interference. Still, we believe that our 
results are promising, not only in their own merit, but also 
because they indicate that it might be possible, with similar 
methods, to translate other protocols that assume ideahzed 
models to practical systems. 

IX. Related Work 

> Information-theoretical secrecy with idealized model: In 
a seminal paper on "wiretap" channels, Wyner fTSl pioneered 
the notion that one can establish information-theoretic secrecy 
between Alice and Bob by utilizing the noisy broadcast nature 
of wireless transmissions. However, his scheme works only 
with perfect knowledge of Eve's channel and only if Eve has 
a worse channel than Bob. In a subsequent seminal work, Mau- 
rer [17] showed the value of feedback from Bob to Alice, even 
if Eve hears all the feedback transmissions (i.e., the feedback 
channel is public). He showed that even if the channel from 
Alice to Eve is better than that to Bob, feedback allows Alice 
and Bob to create a key which is information-theoretically 
secure from Eve. This line of work has led to a rich set 
of literature on pairwise unconditional secret-key agreement 
with public discussion (see [18| and references therein). In 
|fT9l , the authors proposed increasing pairwise secrecy through 
friendly jamming, but still assuming perfect knowledge of 
Eve's channel. The problem of key agreement between a set 
of terminals with access to noisy broadcast channel and public 
discussion channel (visible to the eavesdropper) was studied 
in 1 20 1, where some achievable secrecy rates were established, 
assuming Eve does not have access to the noisy broadcast 
transmissions. This was generalized in fTl] by developing 
(non-computable) outer bounds for secrecy rates. To the best of 
our knowledge, ours is the first work to consider multi-terminal 
secret key agreement over erasure networks, when Eve also has 



access to the noisy broadcast transmissions. Moreover, unlike 
the works in [161, [T71, (2T\ that assume infinite complexity 
operations, our scheme is computationally efficient. 

> Practical protocols for pairwise secrecy: The fact that we 
establish information-theoretic secrecy for a group of nodes 
fundamentally distinguishes our work from a class of protocols 
recently proposed in the Uterature, which aim to extract 
pairwise information theoretical secrecy from physical channel 
characteristics. This class of protocols establishes secret keys 
between two parties, Alice and Bob, in the presence of a 
passive adversary Eve, building on different characteristics of 
physical signals, such as UHF channel values [22,1 . Rayleigh 
fading ||23l , channel impulse responses Il24l . ||25l , ultra-wide 
band (UWB) channel properties [261, and phase reciprocity 
1,27 J . These works leverage the reciprocity of the physical 
wireless channel between Alice and Bob to establish a com- 
mon secret between them; Closer to our work are perhaps 
[28] and [291 , although they still generate pairwise secrecy 
without interaction. The work in il28l is the only paper, as 
far as we know, which employs erasures; the work in (29] 
has Bob deliberately introduce errors into the transmissions 
of Alice to confuse Eve. Unlike our work, all these schemes 
offer modest secrecy rates (for example of the order 10 bits/s 
by the scheme in 1,24 J ) which is orders of magnitude lower 
than what our scheme can achieve. Moreover, they rely on the 
reciprocity of the channel between Alice and Bob, and thus 
do not scale well as the number of nodes increases. Similarly, 
to achieve pairwise secrecy, a recent work il30l proposes to 
artificially enhance the randomness of the channel fading. In 
contrast, in this work we use active interference to emulate 
noisy (erasure) channel conditions that we then utihze to create 
the appropriate channel conditions for group secrecy. 

> Computational group secrecy: Group secret key genera- 
tion with computational security guarantees has also received 
significant attention (see BTl . Il32l and references therein). 

X. Conclusions 

We have presented a protocol that enables a group of 
nodes, connected to the same broadcast channel, to exchange 
a common secret bitstream in the presence of an adversary. 
Our protocol does not use public -key (or any classic form of) 
cryptography and relies, instead, on the assumption that an 
eavesdropper may overhear big chunks of the communication 
between the other nodes, but cannot overhear all the bits re- 
ceived by any single node. The key properties that differentiate 
our protocol from prior theoretical work are that it works for an 
arbitrary number of nodes, has polynomial complexity, and is 
implementable in simple devices without any changes to their 
physical or MAC layers. On the practical side, as a proof of 
concept, we adapted our protocol to a small wireless testbed of 
14 m^ and presented an experimental demonstration of ri = 8 
wireless nodes generating a 38 Kbps common secret bitstream 
in the presence of an adversary (located at least 1.76 m away 
from any other node). To the best of our knowledge, ours 
is the first experimental evidence of generating information- 
theoretically secret bits at kilobit-per-second rates. 



References 

[I] W. Diffie and M. E. Hellman, "New directions in cryptography," 
IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644- 
654, 1976. 

[2] R. L. Rivest, A. Shamir, and L. Adleman, "A method for 
obtaining digital signatures and public-key cryptosystems," Com- 
munications of the ACM, vol. 21, no. 2, pp. 120-126, 1978. 

[3] Companies developing QKD systems: id Quantique, MagiQ 
Technologies, SmartQuantum and Quintessence Labs. 

[4] A. Mink, X. Tang, L. Ma, T. Nakassis, B. Hershman, J.C. 
Bienfang, D. Su, R. Boisvert, C. W. Clark, and C. J. Williams, 
"High speed quantum key distribution system supports one- 
time pad encryption of real-time video," Proceedings of SPIE, 
vol. 6244, 2006. 

[5] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, 
"Experimental quantum cryptography," Journal of Cryptology, 
vol. 5, no. 1, pp. 3-28, 1992. 

[6] V. Scarani, H. Bechmann-Pasquinucci, B. Cerf, M. Dusek, N. 
Lutkenhaus, and M. Peev, "The security of practical quantum 
key distribution," Reviews of Modern Physics, vol. 81, July-Sept. 
2009. 

[7] G. Brassard, N. Ltkenhaus, T. Mor, and B. C. Sanders, "Lim- 
itations on practical quantum cryptography," Physical Review 
Letters, vol. 85, no. 6, 2000. 

[8] B. Yang, K. Wu, and Ramesh Karri, "Scan based side channel 
attack on dedicated hardware implementations of data encryption 
standard," International Test Conference, 2004. 

[9] Y. Zhou, D. Feng, "Side-channel attacks: ten years after its 
publication and the impacts on cryptographic module security 
testing," Cryptology Eprint Archive, 2005. 

[10] D. R. Stinson, "Cryptography", Hapman & Hall/CRC, 2002. 

[II] C. Fragouli and E. Soljanin, "Network coding fundamentals," 
Foundations and Trends in Networking, June 2007. 

[12] F. J. Macwilliams and N. J. A. Sloane, "The theory of error 

correcting codes," North-Holland, 2006. 
[13] Horn and Johnson, "Matrix analysis", Cambridge press, 1985. 
[14] M. Mitzenmacher and E. Upfal, "Probability and computing, 

randomized algorithm and probabilistic analysis," Cambridge 

University Press, 2006. 
[15] Rice University Wireless Open-Access Research Platform 

(WARP), http://warp.rice.edu. 
[16] A. D. Wyner, "The wire-tap channel," Bell System Tech. J., 

vol. 54, pp. 1355-1387, Oct. 1975. 
[17] U. M. Maurer, "Secret key agreement by public discussion from 

common information," IEEE Transactions on Information Theory, 

vol. 39, pp. 733-742, 1993. 
[18] B. Kanukurthi and L. Reyzin, "Key agreement from close 

secrets over unsecured channels," EUROCRYPT, 2009. 
[19] E. Perron, S. N. Diggavi, and E. Telatar, "On noise insertion 

strategies for wireless network secrecy," Information Theory and 

Applications workshop (ITA), pp. 77-84, UCSD, Feb. 2009. 
[20] I. Csiszar and P. Narayan, "Secrecy capacities for multiterminal 

channels," IEEE Transactions on Information Theory, vol. 54, 

no. 6, pp. 2437-2452, June 2008. 
[21] A. Gohari and V. Anantharam, "Information-theoretic key 

agreement of multiple terminals - Part II: channel model," IEEE 

Transactions on Information Theory, vol. 56, no. 8, pp. 3997- 

4010, Aug. 2010. ' 
[22] J. Hershey, A. Hassan, and R. Yarlagadda, "Unconventional 

cryptographic keying variable management," IEEE Transactions 

on Communications, vol. 43, no. 1, pp. 3-6, Jan. 1995. 
[23] B. Azimi-Sadjadi, A. Kiayias, A. Mercado, and B. Yener, "Ro- 
bust key generation from signal envelopes in wireless networks," 

in ACM CCS, Alexandria, Virginia, USA, 2007. 



[24] C. Ye, S. Mathur, A. Reznik, Y. Shah, W. Trappe, and 
N. Mandayam, "Information-theoretically secret key generation 
for fading wireless channels," IEEE Transactions on Information 
Forensics and Security, vol. 5, no. 2, pp. 240-254, Jun. 2010. 

[25] J. Croft, N. Patwari, and S. Kasera, "Robust uncorrelated bit 
extraction methodologies for wireless sensors," in ACM IPSN, 
Sweden, Apr. 2010. 

[26] R. Wilson, D. Tse, and R. Scholtz, "Channel identification: 
Secret sharing using reciprocity in ultrawideband channels," IEEE 
Transactions on Information Forensics and Security, vol. 2, no. 3, 
pp. 364-375, Sep.' 2007. 

[27] H. Koorapaty, A. Hassan, and S. Chennakeshu, "Secure infor- 
mation transmission for mobile radio," IEEE Communications 
Letters, vol. 4, no. 2, pp. 52-55, Feb. 2000. 

[28] S. Xiao, W. Gong, and D. Towsley, "Secure wireless commu- 
nication with dynamic secrets," in IEEE INFOCOM, 2010. 

[29] A. Arora and L. Sang, "Dialog codes for secure wireless 
communications," in ACM IPSN, pp. 13-24, San Francisco, Apr. 
2009. 

[30] Y. Abdallah, M. Latif, M. Youssef, A. Sultan, and H. El-Gamal, 
"Keys through ARQ: theory and practice," IEEE Transactions on 
Information Forensics and Security, pp. 737-751, Sept. 2011. 

[31] M. Burmester and Y. Desmedt, "A secure and efficient confer- 
ence key distribution system," Advances in Cryptology, EURO- 
CRYPT'94, Lecture Notes in Computer Science, 1995. 

[32] Y. Kim, A. Perrig, and G. Tsudik. "Group key agreement 
efficient in communication," IEEE Transactions on Computers, 
vol 53, pp. 905-921, July 2004. 

[33] S. El Rouayheb, A. Sprintson, and P. Sadeghi, "On coding for 
cooperative data exchange," IEEE Information Theory Workshop 
(ITW), Jan. 2010. 

[34] T. A. Courtade and R. D. Wesel, "Efficient universal recovery 
in broadcast networks," Allerton Conference on Communication, 
Control, and Computing, Oct. 2010. 

[35] W. Xu, W. Trappe, Y. Zhang, and T. Wood, "The feasibility of 
launching and detecting jamming attacks in wireless networks," 
ACM MobiHoc, 2005. 

[36] C. Popper, M. Strasser, and S. Capkun, "Jamming-resistant 
broadcast communication without shared keys," USENIX Security 
Symposium, 2009. 

Appendix 

A. Proof of Lemma Q] 

Eve has two occasions to obtain information about the secret 
S: in step 1 of the initial phase, she receives Ne x-paclcets; 
in step 1 of the reconciliation phase, she receives the M — L 
2;-packets that are reliably broadcast by Alice. According to 
Lemmas |5] and |6] Eve obtains no information about S in either 
occasion. In Lemma [T] we prove exponential convergence to 
the average values. ■ 

Lemma 5. Consider a set of N x-packets, say xi, . . . , xn, 
and assume Eve has a subset of size Ne of the x-packets. 
Construct N — Ne y-packets, say yi , . . . , j/m, 

Y = AX, 

where matrix X has as rows the N x-packets, matrix Y has 
as rows the N — Ne y-packets, and A is the generator matrix 
of a Maximum Distance Separable (MDS) linear code with 
parameters [N, N — Ne, Ne + 1] (e.g., a Reed-Solomon code 
[12]). Then the M y-packets are information-theoretically 
secure from Eve, irrespective of which subset ( of size Ne ) 
of the x-packets Eve has. 



Proof: oLet be a matrix that has as rows the packets Eve 
has. To prove that the y-packets are information-theoretically 
secure from Eve, we must show that: 



H{Y\W) = H{Y). 



> We can write 



Y 




A 


W 







X =^ BX, 



where A^; is a Ne x N matrix of rank(A£;) = Ne, which 
specifies the Ne distinct x-packets that are known to Eve. Ae 
is not known to us, however we know is that in each row of 
Ae there is only one 1 and the remaining elements are zero; 
so all of the vectors in the row span of Ae have Hamming 
weight (the number of nonzero elements of a vector ifTZl ) less 
than or equal to Ne- On the other hand, from construction, 
rank(A) = N — Ne, and each vector in the row span of A 
has Hamming weight larger than or equal to Ne + 1 lfT2l : thus 
the row span of A and Ae are disjoint (except for the zero 
vector) and the matrix B is full-rank, i.e. rank(_B) = N. 
> If the packets Xi have length A, we have that: 

H{Y\W) ^ H{Y, W) - H{W) = 
= rank {B) A - rank(yli5)A = {N - Ne)A 
= rank(A)A = iJ(r). ■ 

Lemma 6. Consider a set of M y-packets, say j/i , . . . , i/m, 
and a set of M — L z-packets, say zi, . . . , zm-l, related as 

Z = AzY, 

where matrix Y has as rows the M y-packets, matrix Z has as 
rows the M — L z-packets, and Az is a known M — Lx M full 
rank matrix. Assume that Eve knows all the z-packets. Using 
any standard basis-extension method [13], find an L x M 
matrix As, with rank(A5) = L, such that 



rank 



As 
Az 



= M. 



Then we can construct L s-packets, say si, 
S = AsY, 



,sl, as 



where matrix S has as rows the s-packets, that are 
information-theoretically secure from Eve. 

Proof: To prove that the s-packets are information- 
theoretically secure from Eve, we need to show that H{S\Z) = 
H{S). Similarly to the proof of Lemma|5] if the y-packets have 
length A, we have that: 



rank 



As 
Az 



A- 



HiS\Z)=H{S,Z)-H{Z) 
-rank(ylz)A = LA = rank(As)A = i7(S). ■ 

Lemma 7. The values of the parameters in Lemma\l\converge 
exponentially fast in N to their expected values. 

Proof: Let us consider the random variables M, Mi, 
and L defined in Section |III1 For convenience, we will work 



with the normalized random variables M = M /N, M 
MtJN, and L = L/N. Define the random variable rlf^ as 



1 if the jth x-packet is received 

by Ti but not by Eve, 
otherwise. 



Then we can write Mi — J2f=i "Hj^ have p — 

Pi = K [Mi] = (1 — S)Se- As defined before, we have also 
L = mini Mi . Now the efficiency E ~ — calculated in 



l+M-L 

Lemma |2J itself is a random variable, and using the Chemoff 
bound we can show that it concentrates exponentially fast in 
N to ■ It is easy to see that E [I] (1-(5)(5b p 

and pm — E [M] = {1 — S"^~^)6e- Using concentration 
results (Chemoff bound lfT4l Chapter 4]), we can easily show 
that, P[|L-/i| > ep] < exp (-Q{ne'^ pN)) . Using similar 
argument for M we can also write P [|M — pm\ > cMa/] < 
exp (^-~n{e^ PmN)). Because both M and L concentrate 
around their expected values exponentially fast in N, so does 
the efficiency E. ■ 

B. Proof of Lemma |4] 

We concentrate on Alice (the other terminals perform fewer 
operations). In step 3 of the initial phase, Alice creates up to 
N y-packets, using the construction specified in lemma |5j this 
requires up to N^ operations. In step 1 of the reconciliation 
phase, she creates up to — L z-packets, using a network 
coding construction ifTTl : this requires up to [N — L)N'^ 
operations. In step 3 of the reconciliation phase, she creates L 
s-packets, using the construction specified in Lemma |6j this 
requires up to LN'^ operations. 

Thus, Alice performs at most 2A^^ operations to create L = 
(5£;(1— maxi 5i)N secret packets. For 5e and 6i constant, Alice 
performs 0{N'^) operations per secret packet. ■ 

C. Coded Cooperative Data Exchange 

Assume we have n nodes and a set of packets; each node 
has a subset of the packets, and is interested in collecting the 
ones she misses. We want to achieve this using the minimum 
total number of transmissions from the nodes. We can solve 
this problem in polynomial time |[33l . |[34l ; for completeness, 
we provide in the following an Integer Linear Program (ILP) 
that accepts an efficient polynomial-time solution Il34l . 

We will use the following notation: 

• £: a subset of the nodes; there exist 2" such subsets. 

• C^: set of all nodes not in C. 

• Vf: set of all packets that node i does not have. 

• Ki. total number of transmissions that source i makes. 

min + /l2 + • • . + Kr, 
subject to 

K, e Z+. 



